The application is on Couchbase Lite for Android v1.4.
The application is connected to a server on a local network with an encrypted local database. The user needs to enter its credentials before accessing the content of the app (and these credentials decrypt the local database).
I would like to delete the local database after 5 failed attempts to log in.
But I can’t delete it because to be able to delete an encrypted database we need to open it before (which would require the user to log in). The thing is, if the device is stolen and get outside of the local network, I do not want someone to brute force the password to access the local database.
How could I delete the encrypted database without the need of opening it? Opening it means letting the opportunity for someone to get access to it between the time the database is opened up and when it is deleted. Plus it would need to store the key of the database somewhere where the app has access to it.
To delete a database, you can delete the folder where your database is stored .
That said, I would be very cautious of your design to delete an encrypted database after N failed attempts.
That kinda defeats the purpose of encrypting a database - which is to ensure that only an authorized user can ever access it.
By using this N failed attempts criteria , you are essentially assisting a malicious user who can simply go around deleting user databases by making N failed login attempts. Is that what you really want to do ?
Not sure what your app does , but something to consider - assuming there is a web app as well, if a user does figure out the password, then all bets are off- they can just log in via their web app and wreck havoc.
Further more, what if its a valid user who has simply forgotten the password and inadvertently makes N wrong attempts . Is there a way to restore the lost database ?
To be more foolproof, my suggestion - I would think that a user who wants to delete their local database should have some OOB means to contact you to explicitly specify that they want to delete their database . Once you verify their credentials, you can then send a push notification over to your app that will trigger a delete of the database for instance…
Thanks for your suggestion. I understand why, in a multi-plateform, web based environnement, we shouldn’t implement the “delete after N attempts”. But in our use case, the sync gateway is running on an intranet and only accessible through the few devices that are allowed to log in.
The fear of the user losing all it’s data is not worrying me a lot because:
- The mechanism should only delete the database locally and not triggering the deletion of the documents on the remote Sync gateway.
- All of our users are professionals using our app as a professional tool and they shouldn’t forgot their password neither they should risk to lose local data (they would be warned before attempting the N-1 or N-3 attempt).
The major reason why we would like this “N attempt” mechanism is to prevent from someone trying to brute-force a stolen device (because devices might be stolen, it’s a real risk).
But you get a point when saying some malicious user could delete local data by forcing the “N attempt”.
I will have to see what we fear the most: deletion of non-synced documents or brute-forcing the credentials (when I say “brute-forcing” it could only be someone trying the 10 more commons passwords and successfully enter the app). But that’s something I need to discuss with my team.
Thanks for pointing this out.